COBIT 5 for Assurance The Introduction

COBIT® 5 for Assurance: The Introduction, presented by Prof. Richardus Eko Indrajit, [email protected], hp +62 818 925 926


© 2013 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of ISACA. Use of this publication is permitted solely for personal use and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

COBIT 5 Family

• Foundation
• Implementation
• Assurance

References

• COBIT 5 for Assurance


• Process Assessment Model (PAM): Using COBIT® 5
• COBIT 5: Enabling Processes

COBIT 5 for Assurance 0. Knowing the posture and profile of COBIT 5

Governance of Enterprise IT Philosophy

The Evolution

Governance Purpose

Five Core Principles

1 - Goals Cascading

2 - End-to-End Governance

3 - Integrated Framework

4 - The Enablers

4 - Generic Enabler Anatomy

5 - Governance and Management

Process Reference Model

Implementation

Process Capability Model

COBIT 5 for Assurance 1. Understand the drivers, benefits and target audiences from an assurance perspective.

Drivers for Assurance

The main drivers for assurance in its different forms include:

• Providing interested parties substantiated opinions on governance and management of enterprise IT as per assurance objectives
• Defining assurance objectives in line with enterprise objectives, thus maximising the value of assurance initiatives
• Satisfying regulatory or contractual requirements for enterprises to provide assurance over their IT arrangements

To achieve these aims, the COBIT 5 for Assurance professional guide:

• Provides guidance on how to use the COBIT 5 framework to establish and sustain assurance provisioning and an assurance function for the enterprise
• Provides a structured approach on how to provide assurance over enablers (all of COBIT 5’s defined enablers, e.g., processes, information, organisational structures)
• Illustrates the structured approach with a number of concrete examples of assurance programmes

Benefits of the Guidance

• Assurance providers can rely on the consistency, structure, context and vocabulary of the COBIT 5 framework and its related products.
• If assurance professionals base their reviews on the same framework as that used by business and IT managers who are improving the value of IT for the enterprise, everyone involved will be using a common language, and it will be easier to agree on and implement any necessary improvements to governance and management arrangements.
• This guide can be used by the assurance professional for many different purposes, including:
  - Obtaining a view (based on COBIT 5 concepts such as the enablers) on current good practices on assurance
  - Learning how to use different COBIT 5 components and related concepts for planning, scoping, executing and reporting on various types of IT assurance initiatives
  - Obtaining a view of the extent to which the value objective of the enterprise—delivering benefits whilst optimising risk and resource use—is achieved

Target Audiences

• The target audience for this publication is broad, and includes:
  - Assurance professionals at various governance and management layers
  - Boards and audit committees, as stakeholders who commission assurance activities
  - Business and IT management, as responsible parties
  - External stakeholders, including external auditors, regulators and customers

•  The intended audience for COBIT 5 for Assurance is extensive, as are the reasons for adopting and using the framework, and the benefits each group can find in it.

•  Assurance professionals also have specific standards to follow in providing their services. Section 5 of this presentation looks briefly at this aspect of assurance service provision.

COBIT 5 for Assurance 2. Understand the components of assurance activities.

Assurance Components

Generic Engagement Approach

Assurance Components

• Three-party relationship
• Subject matter
• Suitable criteria
• Execution
• Conclusion
• The assurance process (ties together the above components)

Scope of the Assurance Publication

In this publication, two perspectives on assurance are identified:

• Assurance function perspective—Describes what is needed in an enterprise to build and provide assurance function(s). COBIT 5 is an end-to-end framework, meaning that it considers the provisioning and use of assurance as part of the overall governance and management of enterprise IT.
• Assessment perspective—Describes the subject matter over which assurance needs to be provided. In this case, the subject matter is enterprise IT, which is described in ample detail in the COBIT 5 framework and COBIT® 5: Enabling Processes and is therefore not covered in detail in the assurance guide itself.

Section 3 of this presentation addresses the assurance function perspective; Section 4 addresses the assessment perspective.

Two Perspectives on Assurance Provided by COBIT 5

•  Both perspectives are built on the seven common governance and management enablers of the COBIT 5 framework.

COBIT 5 for Assurance 3. Comprehend how to use COBIT 5 enablers for governing and managing assurance activities.

The Assurance Function Perspective

• The assurance function perspective describes how each enabler contributes to the overall provisioning of assurance, e.g.:
  - Which organisational structures are required to provide assurance (board/audit committee, audit function, etc.)
  - Which information flows are required to provide assurance (audit universe, audit plan, audit reports, etc.)
• Section 2A of the publication contains examples of contributions to assurance practices for each of the enablers, and further elaboration on each example is provided in an appendix.

•  The assurance publication introduces an expanded form of audit programme, explicitly acknowledging and addressing the seven governance and management enablers to support effective assessment and assurance provision against the COBIT 5 framework elements.

COBIT 5 for Assurance 4. Comprehend how to provide assurance over COBIT 5 enabler use in enterprises.

The Assessment Perspective

•  The assessment perspective deals with the actual subject of assurance, i.e., performing actual assurance engagements, where assurance needs to be provided over the subject matter of IT.

•  This subject matter is described in full detail in the COBIT 5 framework and COBIT 5: Enabling Processes publications; the framework consists of the interconnected and interacting COBIT 5 enablers, and the process enabler is fully described in COBIT 5: Enabling Processes. Therefore, the assurance publication describes only at a high level how an assurance professional can approach providing assurance over enablers.

• Section 2B of the assurance publication provides:
  - A detailed description of the core assurance processes, which includes a more in-depth level of detail on the COBIT 5 processes MEA01, MEA02 and MEA03
  - A generic approach on how to provide assurance over COBIT 5 enablers

COBIT 5 for Assurance 5. Understand how COBIT 5 for Assurance relates to other standards.

How COBIT 5 for Assurance Relates to Other Standards

• COBIT 5 for Assurance—much like COBIT 5 itself—is an umbrella approach for the provisioning of assurance. This section illustrates that umbrella positioning by placing COBIT 5 for Assurance in context with a number of (IT) assurance-related standards.
• The list of standards considered includes:
  - ISACA ITAF, 2nd Edition, a professional practices framework for IS audit/assurance
  - The Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) Standards 2013
  - American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) 16

Thank You

presented by Prof. Richardus Eko Indrajit [email protected]